[Snort-users] Re: Fw: Cisco Vulnerability Testing Results

Jon Hart warchild at ...8039...
Fri Jul 18 11:16:20 EDT 2003


On Fri, Jul 18, 2003 at 01:46:39PM -0400, Gary Morris wrote:
> 
> Just to be sure, and becaue in an ideal world I shouldn't really be
> seeing any of these protocols in my network, I've left my definitions
> somewhat more broad.. 
> 
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg: "CISCO: IP Proto 53
> (Swipe) detected"; ip_proto: 53; classtype:denial-of-service;)
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg: "CISCO: IP Proto 55
> (IP Mobility) detected"; ip_proto: 55; classtype:denial-of-service;)
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg: "CISCO: IP Proto 77
> (SUN ND) detected"; ip_proto: 77; classtype:denial-of-service;)
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg: "CISCO: IP Proto 103
> (PIM) detected"; ip_proto: 103; classtype:denial-of-service;)
> 
> -gary morris, gcia

If you are using those sigs in Snort, you might also want to make use of
spp_conversation which can catch all unwanted and/or unused protocols
that might be swimming around your network(s).  See the config I posted
here:

http://marc.theaimsgroup.com/?l=snort-users&m=105849030507605&w=2

Also, a number of people have posted sigs that are not only matching
based on IP protocol number, but also on content.  Obviously this will
only catch the *tool* being used, and not the *exploit* which is far
from ideal.  For similar signatures to the ones you posted, see the ones
I posted here:

http://marc.theaimsgroup.com/?l=snort-users&m=105849245609117&w=2

Or get the latest and greatest Snort rules from Snort CVS.

-jon





More information about the Snort-users mailing list